Channel: All SRX Services Gateway posts

Re: Upgrade SRX345 from 15.1X49-D190.2 to 18.2R3.4 fails: certificate 'device': certificate does not exist .


Hello.

 

The command to set the anti-spam type does not exist prior to JunOS 18. Any advice on how to proceed other than telling the system to not validate the package?

 

Model: srx345-dual-ac
Junos: 15.1X49-D160.2
JUNOS Software Release [15.1X49-D160.2]

 

user@FW2# set security utm ?
Possible completions:
> application-proxy Application proxy settings
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> custom-objects Custom-objects settings
> feature-profile Feature-profile settings
> ipc IPC settings
> traceoptions Trace options for utm
> utm-policy Configure profile
[edit]

However, it is present on the following:

 

Model: srx345-dual-ac
Junos: 18.2R3-S2.9
JUNOS Software Release [18.2R3-S2.9]

 

user@FW9# set security utm default-configuration anti-spam type anti-spam-none ?
Possible completions:
<[Enter]> Execute this command
address-blacklist Anti-spam blacklist
address-whitelist Anti-spam whitelist
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> sbl SBL settings
> traceoptions Trace options for anti-spam feature

Thank you


Re: [SRX550, 12.1X44] issue when test failover


Looking at the diagram, I suspect that the cluster did not failover to node b with the loss of the link on node a to cs A.

 

When the link is down run this to verify

show chassis cluster status

 

In a standard active/passive cluster the links on the passive device do not accept or pass traffic.

They are in standby mode.

 

So the key is to have things set in a way that when failures to/from the active node occur they cause the cluster to failover to the passive device and allow the traffic.

 

Re: packet loss and high response time for some computers through vpn tunnel between srx100 and paloalto firewall

For example, ping from server 172.16.0.135 to client 172.30.3.70 is showing packet loss and high response time but at the same time, ping from server 172.16.0.135 to client 172.30.3.71 is not showing packet loss.

Well, the network path for both of these tests is the same.

The source side server is the same for both.

Thus the only difference is the destination client address.

 

So it would seem the issue would be with some client specific configuration or client specific connection issue like cabling or port not the general vpn path that both share.

 

A minor issue is that these two interfaces are being put in the same subnet.

set interfaces st0 unit 0 family inet address 172.30.3.66/27
set interfaces vlan unit 0 family inet address 172.30.3.65/27

The st0 tunnel interfaces are virtual link interfaces that should be thought of as a point to point link over the vpn tunnel created.  In your case there is no virtual interface on the other side like another srx so any address or even having this unnumbered to the vpn interface is fine.

 

But setting this to an address that overlaps the internal vlan would not be a good practice.  However, as long as it was not duplicated or accidentally used as a routing gateway no harm should occur.

Unique dhcp-attributes on SRX using JDHCP (new daemon) Server


Folks,

 

I have an older SRX that uses the old style DHCP configuration under system->services->dhcp and it works great. I have some static bindings that have a unique DNS server required for my particular use case. For example:

 

static-binding b0:a7:37:73:ab:48 {
    fixed-address {
        10.0.0.46;
    }
    host-name remote-basement;
    name-server {
        4.2.2.2;
    }
    router {
        10.0.0.1;
    }
}

But, my general pool and other static bindings use the more 'global' pool settings.

 

 

dhcp {
    maximum-lease-time 345600;
    default-lease-time 259200;
    domain-name lab.net;
    name-server {
        10.0.0.2;
    }
    pool 10.0.0.0/24 {
        address-range low 10.0.0.2 high 10.0.0.254;
        name-server {
            10.0.0.2;
        }
        router {
            10.0.0.1;
        }
        server-identifier 10.0.0.1;
    }
}

Now that I'm upgrading to a 300 series with 18.2, how do I do this?

 

[edit access address-assignment pool mainnet]
SRX300# show 
family inet {
    network 10.0.0.0/24;
    range general {
        low 10.0.0.100;
        high 10.0.0.199;
    }
    dhcp-attributes {
        maximum-lease-time 86400;
        domain-name lab.net;
        name-server {
            10.0.0.2;
        }
        router {
            10.0.0.1;
        }
    }
    host alder {
        hardware-address 70:4d:7a:29:6f:f1;
        ip-address 10.0.0.2;
        ! I want a unique DNS server here
    }
}

 

 

 

I want a unique DNS server for this particular static binding, but there does NOT appear to be an option to do this under the host name hierarchy.

 

SRX300# set family inet host alder ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  hardware-address     Hardware address
  ip-address           Reserved address
  |                    Pipe through a command

It appears that I can only set the hardware-address and the ip-address at this level.

 

Any recommendations on how best to accomplish this with the newer DHCP server?

 

Thanks.
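Before rebuilding a pool under the new hierarchy it is worth checking the two definitions above for address collisions; the following audit is an added example (not from the thread) that transcribes the old system/services/dhcp pool and the new pool mainnet into plain dicts, labelled constructed, and flags gateway/DNS/server-identifier addresses or reservations that fall inside a dynamic range. Note that the old pool's address-range starts at 10.0.0.2, the same address it advertises as name-server.

```python
"""Audit a DHCP pool for address collisions before moving it to the JDHCP model.
Added example (not from the thread); the two pools are the poster's old
system/services/dhcp pool and new access/address-assignment pool as plain dicts."""
import ipaddress

OLD_POOL = {  # constructed from the old-style configuration above
    "network": "10.0.0.0/24",
    "ranges": [("10.0.0.2", "10.0.0.254")],
    "infra": {"router": "10.0.0.1", "name-server": "10.0.0.2",
              "server-identifier": "10.0.0.1"},
    "hosts": {"b0:a7:37:73:ab:48": "10.0.0.46"},
}

NEW_POOL = {  # constructed from the 'pool mainnet' configuration above
    "network": "10.0.0.0/24",
    "ranges": [("10.0.0.100", "10.0.0.199")],
    "infra": {"router": "10.0.0.1", "name-server": "10.0.0.2"},
    "hosts": {"70:4d:7a:29:6f:f1": "10.0.0.2"},
}


def _in_range(addr, low, high):
    return int(low) <= int(addr) <= int(high)


def audit_pool(pool):
    """Return [(severity, message), ...]; an empty list means the pool is clean."""
    net = ipaddress.ip_network(pool["network"])
    ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
              for lo, hi in pool["ranges"]]
    findings = []
    for lo, hi in ranges:
        if lo > hi:
            findings.append(("error", f"range {lo}-{hi} has low above high"))
        if lo not in net or hi not in net:
            findings.append(("error", f"range {lo}-{hi} is outside {net}"))
    # Addresses the pool advertises (gateway, DNS, server-id) must never be
    # leasable, or a client can end up duplicating the DNS server's address.
    for role, ip in pool["infra"].items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            findings.append(("warning", f"{role} {addr} is not inside {net}"))
        for lo, hi in ranges:
            if _in_range(addr, lo, hi):
                findings.append(("error", f"{role} {addr} lies in dynamic range {lo}-{hi}"))
    # Reservations must be in-subnet, unique, and ideally outside dynamic ranges.
    seen = {}
    for mac, ip in pool["hosts"].items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            findings.append(("error", f"reservation {mac} -> {addr} is outside {net}"))
        if addr in seen:
            findings.append(("error", f"{addr} is reserved for both {seen[addr]} and {mac}"))
        seen[addr] = mac
        for lo, hi in ranges:
            if _in_range(addr, lo, hi):
                findings.append(("warning", f"reservation {mac} -> {addr} sits in dynamic "
                                 f"range {lo}-{hi}; confirm the server excludes it"))
    return findings
```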

Re: [SRX550, 12.1X44] issue when test failover


Hello Steve,

 

Please find the result of "show chassis cluster status" before and after I shut down/disable the interface 3/1/3 in CS A.

 

[before]

root@FW03> show chassis cluster status
Cluster ID: 1
Node   Priority  Status     Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
node0  200       primary    no       no
node1  100       secondary  no       no

Redundancy group: 1 , Failover count: 155
node0  200       primary    yes      no
node1  100       secondary  yes      no

{primary:node0}
root@FW03>

 

[after]

root@FW03> show chassis cluster status
Cluster ID: 1
Node   Priority  Status     Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
node0  200       primary    no       no
node1  100       secondary  no       no

Redundancy group: 1 , Failover count: 156
node0  0         secondary  yes      no
node1  100       primary    yes      no

{primary:node0}
root@FW03>
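Comparing the two captures above programmatically, as an added example that is not part of the thread: the script parses each output into redundancy groups and reports any group whose primary moved or whose failover count advanced, with BEFORE and AFTER being the posted outputs embedded as constructed sample input.

```python
"""Flag redundancy-group failovers between two 'show chassis cluster status' captures.
Added example (not from the thread); BEFORE/AFTER are the outputs posted above."""
import re

BEFORE = """\
Cluster ID: 1
Node Priority Status Preempt Manual failover

Redundancy group: 0 , Failover count: 1
node0 200 primary no no
node1 100 secondary no no

Redundancy group: 1 , Failover count: 155
node0 200 primary yes no
node1 100 secondary yes no
"""

AFTER = """\
Cluster ID: 1
Node Priority Status Preempt Manual failover

Redundancy group: 0 , Failover count: 1
node0 200 primary no no
node1 100 secondary no no

Redundancy group: 1 , Failover count: 156
node0 0 secondary yes no
node1 100 primary yes no
"""

RG_RE = re.compile(r"Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_RE = re.compile(r"^(node\d)\s+(\d+)\s+(\S+)\s+(yes|no)\s+(yes|no)$")


def parse_cluster_status(text):
    """Return {rg: {"failover_count": int, "nodes": {name: {...}}}}."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RG_RE.search(line)
        if m:  # header of a redundancy group; its node rows follow
            current = int(m.group(1))
            groups[current] = {"failover_count": int(m.group(2)), "nodes": {}}
            continue
        m = NODE_RE.match(line)
        if m and current is not None:
            name, prio, status, preempt, manual = m.groups()
            groups[current]["nodes"][name] = {
                "priority": int(prio), "status": status,
                "preempt": preempt == "yes", "manual_failover": manual == "yes"}
    return groups


def primary_node(group):
    """Name of the node that is primary for an RG, or None if nobody is."""
    for name, node in group["nodes"].items():
        if node["status"] == "primary":
            return name
    return None


def diff_failovers(before_text, after_text):
    """Report every RG whose primary moved or whose failover count advanced.
    A node at priority 0 in the 'after' capture is the usual sign that
    interface monitoring (or a manual failover) forced it out of primary."""
    before = parse_cluster_status(before_text)
    after = parse_cluster_status(after_text)
    findings = []
    for rg in sorted(set(before) & set(after)):
        b, a = before[rg], after[rg]
        delta = a["failover_count"] - b["failover_count"]
        if primary_node(b) != primary_node(a) or delta:
            findings.append({
                "rg": rg, "primary_before": primary_node(b),
                "primary_after": primary_node(a), "failover_count_delta": delta,
                "zero_priority_nodes": sorted(
                    n for n, v in a["nodes"].items() if v["priority"] == 0)})
    return findings
```

The CLI prompt ({primary:node0}) reflects RG0 only, so RG1 can move to node1 without the prompt changing, which is exactly what the posted "after" capture shows.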

Re: SRX 240 Dynamic VPN works sometimes and only on certain IPs


Thanks for your reply.

 

Here is the information. There are a couple of posts from folks who experienced similar behavior where the Pulse Client was the culprit. For them the solution was to use version 9.1.2 built in December 2019. Although my build of 9.1.3 is technically newer it was built earlier than December 2019. I will try the latest 9.1.4 #1761 built January 2020.

 

Unfortunately I am running Windows 10 1909 and I don't want to change the policy of using an earlier build of the client than 9.1.3. I have a need to use the Pulse Client to access sites other than what the SRX is protecting.

 

What I meant by logs was I enabled traceoptions where I set flags to all and filtered source-prefix from my VPN subnet and destination-prefix from my protected subnet. The only thing I did was ping an IP and there are over 17K rows of logs in a file that's over 700KB. Now that I take a look further, if I remove FLOW STUB, empty lines, jsf close check, and jsf int check from the log there's only 216 entries. So I'll mull over that.

 

Thanks!

 

> show configuration access
profile DYN-VPN-access-profile {
    client userone {
        firewall-user {
            password "**"; ## SECRET-DATA
        }
    }
    client usertwo {
        firewall-user {
            password "**"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool DYN-VPN-address-pool;
    }
}
address-assignment {
    pool UserPool {
        family inet {
            network 172.20.127.0/24;
            range 1 {
                low 172.20.127.100;
                high 172.20.127.199;
            }
            dhcp-attributes {
                maximum-lease-time 86400;
                grace-period 1800;
                name-server {
                    172.20.127.254;
                }
                router {
                    172.20.127.254;
                }
            }
        }
    }
    pool DYN-VPN-address-pool {
        family inet {
            network 192.168.4.0/24;
            range r1 {
                low 192.168.4.101;
                high 192.168.4.109;
            }
            xauth-attributes {
                primary-dns 1.1.1.1/32;
            }
        }
    }
}
firewall-authentication {
    web-authentication {
        default-profile DYN-VPN-access-profile;
    }
}

> show configuration security ike
policy IKE-DYN-VPN-policy {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "**"; ## SECRET-DATA
}
gateway DYN-VPN-local-gw {
    ike-policy IKE-DYN-VPN-policy;
    dynamic {
        hostname DYNvpn;
        connections-limit 2;
        ike-user-type group-ike-id;
    }
    external-interface ge-0/0/0.0;
    xauth access-profile DYN-VPN-access-profile;
}

> show configuration security ipsec
policy IPSEC-DYN-VPN-policy {
    proposal-set standard;
}
vpn DYN-VPN {
    ike {
        gateway DYN-VPN-local-gw;
        ipsec-policy IPSEC-DYN-VPN-policy;
    }
    establish-tunnels immediately;
}

> show configuration security policies
from-zone trust to-zone untrust {
    policy trust-to-untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy DYN-VPN-policy {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn DYN-VPN;
                }
            }
            log {
                session-close;
            }
            count;
        }
    }
}

> show configuration security dynamic-vpn
access-profile DYN-VPN-access-profile;
clients {
    all {
        remote-protected-resources {
            172.20.127.0/24;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn DYN-VPN;
        user {
            userone;
            usertwo;
        }
    }
}

 

Re: How to fix JDHCP amnesia?


The SRX was periodically failing to access DNS entries and the configuration was reloading many times. I thought it was an issue with our ISP but it turned out the hardware was questionable. I replaced it with a spare but it was running 12.3X48 instead of 12.1X46.

 

Now JDHCP server binding shows half the session ids in the low hundreds and the others are below 50, whereas before the ids were in the thousands.

Re: Can forward 1 port to a host but not another to the same


I got it to work by using a spare 240 running 12.3X48.


Use non-standard port for Dynamic VPN?


When I was having trouble with accessing my protected resources using the Pulse Client I decided to try Pulse Secure's Pulse Connect Secure. It works but I have to choose between PCS or Dynamic VPN. I wanted to use a non-standard port for PCS but I couldn't get the client to use a non-standard port and authenticate, although I am able to use a web browser and connect through the non-standard port.

 

Questions:

  • Has anyone tried using a non-standard port for the URL on SRX or SSL-VPN connection types? No replies from Pulse Secure's Community forums.
  • Is it possible to configure and use a non-standard port for SRX Dynamic VPN?

 

Thanks!

Chassis cluster control link clarification


Hello

 

I was on a working SRX 1500 chassis cluster and could see the em1.32768 interface with IP 192.168.1.2/24.

 

The SRX 1500 has a dedicated HA control port which is em0.

 

On the bigger chassis, like the 3400, I see a couple of ports on the far right of the switch fabric board (SFB) called 'Chassis cluster control' 0 and 1.

 

But the cabling article here shows you only use port 0 on the 3400 - https://www.juniper.net/documentation/en_US/junos/topics/task/operational/chassis-cluster-srx-series-hardware-connecting.html

 

This article - https://kb.juniper.net/InfoCenter/index?page=content&id=KB15356 - says to use:

 

Chassis Cluster Control
Port 0 (copper or fiber) on SFB    => em0
Port 1 (copper or fiber) on SFB    => em1 

 

(Which appears to contradict https://www.juniper.net/documentation/en_US/junos/topics/task/operational/chassis-cluster-srx-series-hardware-connecting.html ?)

 

And this article - https://kb.juniper.net/InfoCenter/index?page=content&id=KB21706&cat=SRX_5600_1&actp=LIST - says there is no correlation between em0 and em1 and physical ports.

 

I'm confused...

 

Any further explanation would be great, and also if someone can tell me specifically what em1.32768 is on the SRX1500 chassis cluster I'd appreciate it.

 

Thanks!

Re: Help with source NAT for home SRX


Thanks for the replies. I did some searching and found a few limitations that I'm not sure there's a better workaround for. I tried switching to transparent mode to be able to have everything use irb.100 as a gateway but then found that NAT isn't supported. Then I also ran into not being able to have Layer 2 and Layer 3 zones have policies between them. If I make an interface L3 and just put a switch on it with my devices on the switch everything works fine. Is there a way to have multiple interfaces as access ports with an RVI as the gateway that can NAT to a Layer 3 interface?

 

Here is what I wanted to do, where I'm running into the NAT issue. Everything on vlan 100 can communicate and gets proper DHCP, interface ge-0/0/5 to the modem gets proper DHCP and a default route, and I'm able to ping out to 8.8.8.8 for example from the SRX but not from my PC. I can ping the SRX (192.168.10.1) and other devices from my PC.

[edit]
version 18.2R3-S2.9;
system {
    login {
        user user {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$6$tMMHKT.R$OTP"; ## SECRET-DATA
            }
        }
    }
    root-authentication {
        encrypted-password "$6$e549kGC"; ## SECRET-DATA
    }
    host-name srx-rtr1;
    auto-snapshot;
    domain-name home.net;
    time-zone America/New_York;
    name-server {
        75.75.75.75;
        75.75.76.76;
    }
    services {
        ssh {
            root-login deny;
        }
        netconf {
            ssh;
        }
        dhcp-local-server {
            group DHCP_Group {
                interface irb.100;
            }
        }
    }
    syslog {
        archive size 100k files 5;
        user * {
            any emergency;
        }
        file messages {
            any notice;
            security none;
        }
        file security {
            authorization any;
            firewall any;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
security {
    address-book {
        HOME {
            address Home_net 192.168.10.0/24;
        }
    }
    flow {
        traceoptions {
            file flow-trace;
            flag basic-datapath;
        }
    }
    screen {
        ids-option SCREEN_UNTRUST {
            icmp {
                ip-sweep;
                ping-death;
            }
            tcp {
                port-scan;
                winnuke;
                tcp-sweep;
            }
            udp {
                udp-sweep;
                port-scan;
            }
        }
    }
    nat {
        source {
            rule-set TRUST-to-UNTRUST {
                from zone TRUST;
                to zone UNTRUST;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone TRUST to-zone UNTRUST {
            policy TRUST-to-UNTRUST {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
    zones {
        security-zone UNTRUST {
            screen SCREEN_UNTRUST;
            interfaces {
                ge-0/0/5.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone TRUST {
            interfaces {
                irb.100 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 100;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 100;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 100;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 100;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 100;
                }
            }
        }
    }
    ge-0/0/5 {
        description "Connection to modem";
        unit 0 {
            family inet {
                dhcp {
                    no-dns-install;
                }
            }
        }
    }
    irb {
        unit 100 {
            family inet {
                address 192.168.10.1/24;
            }
        }
    }
}
policy-options {
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
    prefix-list localhost {
        127.0.0.0/8;
    }
    prefix-list DNS-Servers {
        apply-path "system name-server <*>";
    }
    prefix-list router-ipv4 {
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
    prefix-list Mgmt-net {
        192.168.10.0/24;
    }
    prefix-list snmp-community-clients {
        apply-path "snmp community <*> clients <*>";
    }
    prefix-list router-ipv4-routing-instances {
        apply-path "routing-instances <*> interface <*> unit <*> family inet address <*>";
    }
}
access {
    address-assignment {
        pool DHCP_Pool {
            family inet {
                network 192.168.10.0/24;
                range DHCP_Range {
                    low 192.168.10.20;
                    high 192.168.10.100;
                }
                dhcp-attributes {
                    server-identifier 192.168.10.1;
                    domain-name jupiter.home.net;
                    name-server {
                        75.75.75.75;
                        75.75.76.76;
                        8.8.8.8;
                    }
                }
            }
        }
    }
}
vlans {
    home_mgmt {
        vlan-id 100;
        l3-interface irb.100;
    }
}

If I change ge-0/0/0 to inet and put the irb.100 address on it and connect a switch with my devices on it and add ge-0/0/0 to the TRUST zone, everything works fine with the same NAT config. I'm not sure if there's a proper way to configure it to do what I wanted or if that's just not supported anymore. I thought that was supported on the older code.

Re: Upgrade SRX345 from 15.1X49-D190.2 to 18.2R3.4 fails: certificate 'device': certificate does not exist .


Hi,

 

Thanks for the response.

 

I can't see the config you have provided.

set security utm ?
Possible completions:
> application-proxy Application proxy settings
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> custom-objects Custom-objects settings
> feature-profile Feature-profile settings
> ipc IPC settings
> traceoptions Trace options for utm
> utm-policy Configure profile

 

This is the current config I have:

feature-profile {
    anti-virus {
        type sophos-engine;
    }
    anti-spam {
        sbl;
    }
}
utm-policy ticl-lan-policy {
    anti-virus {
        http-profile junos-sophos-av-defaults;
        ftp {
            upload-profile junos-sophos-av-defaults;
            download-profile junos-sophos-av-defaults;
        }
        smtp-profile junos-sophos-av-defaults;
        pop3-profile junos-sophos-av-defaults;
        imap-profile junos-sophos-av-defaults;
    }
    anti-spam {
        smtp-profile junos-as-defaults;
    }
}

Re: Chassis cluster control link clarification


Hi!

Below is how you need to cable it up for an SRX1500.

 

Connecting SRX1500 Devices in a Chassis Cluster

 

KR

Adam

Address books SRX


Hello,

 

I'm trying to create an address-book with admin's IP addresses from different subnets/vlan, but with problems..

 

root@SRX2# show security address-book admins 
address admin-cable 192.168.3.10/32;
address admin-wifi 192.168.4.10/32;

root@SRX2# show security policies from-zone mobile to-zone managment policy permit-admins          
match {
    source-address admins;
    destination-address any;
    application any;
}
then {
    permit;
}


root@SRX2# commit 


[edit security policies from-zone mobile to-zone managment]
  'policy permit-admins'
    Source address or address_set (admins) not found.
error: configuration check-out failed

The address-book is not found when committing. How do I create such an address-book?

Re: Unique dhcp-attributes on SRX using JDHCP (new daemon) Server


Another example/use case would be, I want to only provide option 67 for a couple of devices based on their hardware address.

 

With the new DHCP configuration, how do we do that?


Re: Help with source NAT for home SRX


Hi Ajohnson,

 

If replacing irb with ge-0/0/0 works fine, I suspect that the switching mode might not have kicked in.

 

Please run the following command and look for the switching mode. It should be set to "Switching".

 

> show ethernet-switching global-information
Global Configuration:

MAC aging interval     : 300
MAC learning           : Enabled
MAC statistics         : Disabled
MAC limit Count        : 16383
MAC limit hit          : Disabled
MAC packet action drop : Disabled
LE aging time          : 1200
LE VLAN aging time     : 1200
Global Mode            : Switching


If this setting looks correct, please reboot the device once. 

 

If this setting does not look correct , set it manually and then reboot it.

 

set protocols l2-learning global-mode switching

 

Thanks!

Re: Address books SRX

Re: Unique dhcp-attributes on SRX using JDHCP (new daemon) Server


So, I'm a little annoyed...

 

I opened up a ticket with JTAC to go over the configuration, and it looks like the *newer* JDHCP Server configuration will NOT support having unique dhcp options for any static reservations.

So basically, we are losing functionality with the  *newer* method of DHCP.

 
DHCPD in the BSD & Linux world has supported special DHCP options for specific host reservations for years...so this is telling me that the Junos JDHCP server actually has less functionality than the old DHCP server that was working fine on older SRX hardware / Junos releases. But...the old DHCP server is deprecated; otherwise I'd still be using it.
 
In Linux/BSD ISC DHCPD, you can do this under the host stanza:
 
host DC1-R1-LEAF-A {
    option dhcp-client-identifier 00:0c:30:8d:5e:0d;
    fixed-address 192.168.100.103;
    option bootfile-name "http://192.168.100.130/bootstrap";
}

 

We could do this with the old JUNOS configuration with:

system {
    services {
        dhcp {
            static-binding 18:a6:f7:56:21:18 {
                fixed-address {
                    10.0.0.5;
                }
                host-name tplink-office;
                name-server {
                    10.0.0.2;
                }
                router {
                    10.0.0.1;
                }
                option 67 string http://192.168.100.130/bootstrap;
            }
        }
    }
}

JTAC's solution is to create another pool and change my subnet strategy, which I'm sorry, is really not a good answer. 

 

Can someone please tell me this is all wrong and that there is a way to deal with this? I'm shocked that this doesn't have a solution.

 

I could have a small Linux box to do this...but for a branch site, I don't want to put compute out there, just for DHCP services. That is just crazy.

 

-J

Question about policy logging locally on SRX345


Hi

I've seen notes and videos on logging security policies for accepted and denied traffic. I'm not really seeing any entries even after sending pings manually from a device that should hit that policy. Here's my config, any thoughts?

archive size 2m files 3 world-readable;
user * {
    any emergency;
}
file messages {
    any notice;
    authorization info;
}
inactive: file interactive-commands {
    interactive-commands any;
}
file accepted-traffic {
    any any;
    match RT_FLOW_SESSION_DENY;
}
inactive: file blocked-traffic {
    any any;
    match RT_FLOW_SESSION_DENY;
}

 

 

mode event;
format syslog;
report;
source-interface ge-0/0/0.0;

 

I do see this when I run the show security log. I'm not seeing an enabled security logging.

run show security log
Security logging is disabled

 

thanks

john
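To see what a syslog `match` expression actually selects from policy logs, the following is an added example (not from the thread): it parses RT_FLOW_SESSION_* lines into session fields, emulates the `file <name> { match <regex>; }` filter, and tallies denies per source and destination port. The SAMPLE_LOG lines are constructed to follow the general shape of SRX flow messages (exact field order varies by release, so only the leading fields are relied on); it also shows that a file matching only RT_FLOW_SESSION_DENY never receives the RT_FLOW_SESSION_CREATE events that permitted sessions produce.

```python
"""Parse SRX RT_FLOW session events and emulate syslog 'match' filtering.
Added example (not from the thread).  SAMPLE_LOG is constructed to follow the
general shape of RT_FLOW_SESSION_* messages (event name, then src/port->dst/port,
then service/policy/zone fields); only the leading fields are relied on, since
exact field order varies between releases."""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  1 10:00:01 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.10.20/1->8.8.8.8/2048 icmp 203.0.113.5/1->8.8.8.8/2048 None source-nat-rule None 1 TRUST-to-UNTRUST TRUST UNTRUST 101
Mar  1 10:00:02 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.10.20/51234->203.0.113.9/23 junos-telnet 6(0) default-deny TRUST UNTRUST UNKNOWN UNKNOWN
Mar  1 10:00:03 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.10.20/1->8.8.8.8/2048 icmp 203.0.113.5/1->8.8.8.8/2048 None source-nat-rule None 1 TRUST-to-UNTRUST TRUST UNTRUST 101
Mar  1 10:00:04 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.10.30/44000->203.0.113.9/445 junos-smb 6(0) default-deny TRUST UNTRUST UNKNOWN UNKNOWN
Mar  1 10:00:05 srx sshd[1234]: Accepted publickey for admin from 192.168.10.20 port 50000
"""

EVENT_RE = re.compile(
    r"RT_FLOW_SESSION_(?P<event>CREATE|CLOSE|DENY):.*?"
    r"(?P<src>\d+(?:\.\d+){3})/(?P<sport>\d+)->(?P<dst>\d+(?:\.\d+){3})/(?P<dport>\d+)")


def parse_rt_flow(line):
    """Return the session fields of an RT_FLOW_SESSION_* line, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    rec = {"event": m.group("event"), "src": m.group("src"), "dst": m.group("dst"),
           "sport": int(m.group("sport")), "dport": int(m.group("dport"))}
    tail = line[m.end():].split()  # the service name follows the address pair
    rec["service"] = tail[0] if tail else None
    return rec


def syslog_match(lines, pattern):
    """Emulate 'file <name> { match <regex>; }': keep lines whose text matches."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def deny_summary(lines):
    """Count denied sessions per (source address, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_rt_flow(line)
        if rec and rec["event"] == "DENY":
            counts[(rec["src"], rec["dport"])] += 1
    return counts
```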

Re: Question about policy logging locally on SRX345
